
475 points danielstocks | 2 comments
paxys ◴[] No.27304033[source]
Having at least authenticated sections of your site use HTTPS was standard well before 2011.
replies(5): >>27304324 #>>27304427 #>>27305411 #>>27307048 #>>27307466 #
tl ◴[] No.27304427[source]
Let's Encrypt started in 2014 to address HTTP overuse.

In 2011, I (in-house corp app dev) was still stuck with HTTP services (behind a firewall, accessible only via VPN).

In 2014, public-facing mobile apps using HTTP were prevalent enough to prompt name and shame campaigns. [1] My fuzzy memory suggests some banks were still using HTTP.

[1] https://arstechnica.com/information-technology/2014/08/new-w...

replies(4): >>27304815 #>>27304833 #>>27307101 #>>27307439 #
1. kaszanka ◴[] No.27307439[source]
If the pages are only accessible via a VPN, what does HTTPS really get you?
replies(1): >>27308288 #
2. tl ◴[] No.27308288[source]
Not needing a VPN. rimshot

In all seriousness, better security. You are leaking whatever payload is sent right after VPN drops. An early version of the application had a defect because it did not check response payloads on an endpoint (the code handled errors, but 200 OK was all it needed on success). This is not what you want when the 200 OK is followed by the HTML of a hotel's wi-fi access page.
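
Added example, not part of the thread and not the commenter's application code: a Python sketch of the defect described in the comment above (any 200 OK counts as success) next to a check that also validates the media type and payload shape. The sample responses and the `result`/`id` fields are constructed assumptions.

```python
import json

# Constructed sample responses (assumptions): (status, headers, body)
GENUINE = (200, {"Content-Type": "application/json; charset=utf-8"},
           b'{"result": "saved", "id": 42}')
CAPTIVE_PORTAL = (200, {"Content-Type": "text/html"},
                  b"<html><head><title>Hotel Wi-Fi Login</title></head>"
                  b"<body><form action='/login'>...</form></body></html>")
SERVER_ERROR = (500, {"Content-Type": "application/json"}, b'{"error": "db down"}')


class UnexpectedResponse(Exception):
    """The response is not the expected endpoint's answer in the expected shape."""


def status_only_check(status, headers, body):
    """The defect described above: any 200 counts as success."""
    return status == 200


def validated_payload(status, headers, body, required_keys=("result", "id")):
    """Return the parsed payload only if status, media type and shape all match."""
    if status != 200:
        raise UnexpectedResponse(f"status {status}")
    # Header names are case-insensitive; parameters such as charset follow ';'.
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    media_type = ctype.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        raise UnexpectedResponse(f"media type {media_type!r}")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise UnexpectedResponse("body is not JSON") from exc
    if not isinstance(payload, dict):
        raise UnexpectedResponse("payload is not a JSON object")
    missing = [k for k in required_keys if k not in payload]
    if missing:
        raise UnexpectedResponse(f"missing keys {missing}")
    return payload


def accepted(check, response):
    """True if `check` treats `response` as a success."""
    try:
        return bool(check(*response))
    except UnexpectedResponse:
        return False
```

With HTTPS and certificate verification enabled, a portal intercepting the request fails at the TLS handshake before any status code is read, so payload validation acts as a second layer.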